s3:libsmb/ntlmssp: an empty string should mean no password
Andrew Bartlett
abartlet at samba.org
Mon Apr 16 16:47:21 MDT 2012
On Mon, 2012-04-16 at 14:45 +0200, Stefan Metzmacher wrote:
> The branch, master has been updated
> via 51e3bbd s4:libcli/smb2: fix anonymous session setups against windows servers
> via daa5cec s4:libcli/smb2: remove unused dependency to LIBPACKET
> via 66d7553 s3:libsmb: fix anonymous session setups against windows servers
> via 92483ee s3:libsmb/ntlmssp: an empty string should mean no password
> via b0939c5 libcli/smb: move smb2cli_session_setup_*() prototypes to the code.
> via 6054e9a libcli/smb: add smb2cli_session_get_flags()
> via c60c2c5 libcli/smb: we should not force a session key for anonymous connections
> from b23f5a9 libcli/smb: make use of data_blob_string_const_null()
>
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>
> commit 92483eee254ef6844fe88abe1e64f67033a1ea2d
> Author: Stefan Metzmacher <metze at samba.org>
> Date: Mon Apr 16 12:32:28 2012 +0200
>
> s3:libsmb/ntlmssp: an empty string should mean no password
>
> metze
Are you sure this is correct? With this change, how would we connect to
a server that had "" stored as the password?
I agree this is difficult, but for the anonymous login shouldn't we
check for the "" username instead?
For guest logins, I really don't know how we should handle this - the
behaviour of 'map to guest = bad user' (i.e., the Windows behaviour)
allows any login name, and presumably even a password. It is indeed
best to decide this client-side (so we are not fooled into downgraded
security by an unsigned return flag), but I'm not convinced this is the
right approach.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
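The point argued in the reply (decide client-side whether the request is anonymous, and do not let an unsigned return flag from the server decide how much to trust the session) can be modelled in a few lines. The block below is an added illustration written for this archive page; it is not Samba code and does not use Samba's API. The two policy functions (`anonymous_by_empty_password`, following the quoted commit message, and `anonymous_by_empty_username`, following the suggestion in the reply), the `Credentials` type and `accept_session` are assumptions for the example; only the two `SMB2_SESSION_FLAG_*` values are taken from the SMB2 SESSION_SETUP response definition in MS-SMB2.

```python
"""Client-side anonymous/guest decision, checked against the server's reply.

Added example, not Samba code.  Function names, the Credentials type and
the two policies are assumptions for this illustration; the flag values
are the SMB2 SESSION_SETUP response SessionFlags from MS-SMB2.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# SMB2 SESSION_SETUP response SessionFlags (MS-SMB2).
SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002


@dataclass(frozen=True)
class Credentials:
    """What the caller handed the client library (constructed for this example)."""
    username: str
    domain: str
    password: Optional[str]  # None: no password given at all; "": empty string


def anonymous_by_empty_password(creds: Credentials) -> bool:
    """Rule of the quoted commit: "" and None both mean "no password", so
    either turns the request into an anonymous (NULL) session."""
    return not creds.password


def anonymous_by_empty_username(creds: Credentials) -> bool:
    """Rule proposed in the reply: only an empty username asks for an
    anonymous session; a named user with password "" is still a real login."""
    return creds.username == ""


class SessionDowngrade(Exception):
    """The server reported a weaker session than the client asked for."""


def accept_session(expected_anonymous: bool, session_flags: int,
                   allow_guest: bool = False) -> str:
    """Check the server's SessionFlags against the client's own decision.

    Returns 'anonymous', 'guest' or 'user'.  SessionFlags arrive in an
    unsigned SESSION_SETUP response (a NULL or guest session has no session
    key derived from a verified secret), so the client decides up front
    what it asked for and treats a weaker answer as a failure.
    """
    is_guest = bool(session_flags & SMB2_SESSION_FLAG_IS_GUEST)
    is_null = bool(session_flags & SMB2_SESSION_FLAG_IS_NULL)
    if expected_anonymous:
        # No secret was sent, so nothing can have been downgraded; whatever
        # the server says, the session is unauthenticated and must not be
        # used for anything that relies on a real session key.
        return "anonymous"
    if is_null:
        raise SessionDowngrade("credentials sent, server reports a NULL session")
    if is_guest:
        # 'map to guest = bad user' style mapping: the password was never
        # verified.  Proceed only if the caller explicitly opted in.
        if allow_guest:
            return "guest"
        raise SessionDowngrade("credentials sent, server mapped the login to guest")
    return "user"


def session_setup(creds: Credentials, server_flags: int,
                  policy: Callable[[Credentials], bool] = anonymous_by_empty_username,
                  allow_guest: bool = False) -> Tuple[bool, str]:
    """Decide client-side, then validate the reply.

    Returns (expected_anonymous, accepted session kind).  `server_flags` is
    the SessionFlags word the server returned (supplied by the caller here,
    as there is no network in this example).
    """
    expected = policy(creds)
    return expected, accept_session(expected, server_flags, allow_guest)


if __name__ == "__main__":
    # Constructed inputs: a named user with an empty-string password, and a
    # server that claims it mapped the login to guest.
    creds = Credentials("alice", "DOM", "")
    print(session_setup(creds, SMB2_SESSION_FLAG_IS_GUEST, allow_guest=True))
    try:
        session_setup(creds, SMB2_SESSION_FLAG_IS_GUEST)
    except SessionDowngrade as e:
        print("rejected:", e)
```

The two policies differ only for a named user with password "": under the commit's rule the client never sends a password, under the reply's rule it sends the empty string as a real password. In both cases the server's IS_GUEST or IS_NULL bit is compared against what the client itself decided, rather than being used to decide.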